September 1, 2022
The Log4Shell vulnerability is likely to continue impacting systems for the foreseeable future.
Log4Shell (CVE-2021-44228) was originally reported as a zero-day vulnerability in November 2021. The first patch came out on December 6th, triggering a global mitigation response as security leaders and administrators began addressing risks associated with Log4Shell exploits.
At the time, many security leaders warned that Log4Shell would likely have a complex long-term impact. The Java logging library it exploits is used in millions of corporate applications and third-party products. The process of discovering, tracking, and patching every instance of the security flaw on a corporate network involves coordinating patches between a wide range of software vendors.
The US Cybersecurity and Infrastructure Security Agency (CISA) has recently published indicators of compromise related to the Log4Shell vulnerability found in real-world threat scenarios. These attacks targeted systems with patches and workarounds available, suggesting that application developers still have further to go before their systems are fully protected.
CISA Report Focuses on VMware Horizon and Unified Access Gateway Servers
CISA's report describes an attack scenario that uses the Log4Shell vulnerability to compromise VMware Horizon and UAG servers. The fact that security patches and workarounds for these platforms exist suggests that victims simply failed to deploy security patches in a timely manner.
As described in our original blog post on Log4Shell, these attacks use PowerShell scripts to download malware in a way that bypasses traditional security solutions. One of the scripts deployed an open-source network scanner named Nmap, which suggests the attacker’s goals included network reconnaissance.
Alongside the download script, CISA recovered two XML files and an executable written in Python. The XML files scheduled tasks to establish persistence on the compromised system, while the Python executable is designed to scan local IP addresses for access to connected networks.
Enterprises can’t feasibly block PowerShell scripts on their networks – too many mission-critical Windows services rely on the automation tool – and can’t easily identify malicious behavior with simple rules-based security solutions. Without granular customization from proven security experts, the rules-based approach generates a massive influx of false positives.
Log4Shell Predictions: Vulnerability May Become Entrenched
Between organizations neglecting to deploy existing patches and failing to discover affected dependencies on their networks, there is good reason to believe that Log4Shell is here to stay.
Many popular apps do not have the Log4j Java logging library as a direct dependency but rely on other packages that do. As a result, developers may not even be aware that their systems are vulnerable.
But the fact that even highly visible, patch-ready systems like VMware Horizon and UAG are being exploited suggests something else – some organizations simply aren't giving this threat the attention it demands. As a result, these types of exploits are likely to continue occurring well into the future.
Discovering affected dependencies is a complex and time-consuming process. Protecting highly visible, public-facing systems with widely available patches and workarounds is practically free by comparison.
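The dependency-discovery step described in the two paragraphs above, as an added example that is not code from the original post or from CISA's report: it walks a directory of Java archives, descends into jars nested inside WAR, EAR and fat jars (where transitive Log4j copies hide), and reports each bundled log4j-core with its Maven version and whether the JndiLookup class that the published CVE-2021-44228 workaround removes is still present. The package paths are the standard Log4j 2 ones; the jar builder at the end is a constructed test fixture, and the version string it writes is a made-up placeholder.

```python
import io
import zipfile
from pathlib import Path

# Class whose presence in a log4j-core jar means JNDI lookups are still compiled in;
# the documented workaround for CVE-2021-44228 deletes it, so its absence is the mitigated state.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def _version_from_pom(zf):
    """Return the log4j-core version recorded in the jar's Maven metadata, if any."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(data, path):
    """Inspect one archive (as bytes) and yield (path, version, jndi_present) findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            yield path, _version_from_pom(zf), JNDI_LOOKUP_CLASS in names
        # Nested archives are where transitive dependencies live; recurse into each one.
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_jar_bytes(zf.read(name), f"{path}!/{name}")


def scan_tree(root):
    """Walk a directory tree and return all findings for every archive under it."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_jar_bytes(p.read_bytes(), str(p)))
    return findings


def build_sample_jar(version, include_jndi, wrap_in=None):
    """Constructed fixture: an in-memory log4j-core-like jar, optionally nested in an outer archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")  # placeholder version, not a real release
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    data = buf.getvalue()
    if wrap_in:  # emulate a WAR/fat jar carrying log4j-core as a transitive dependency
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(wrap_in, data)
        data = outer.getvalue()
    return data
```

Run `scan_tree("/path/to/deployments")` against an application server's deployment directory; any finding with `jndi_present == True` is a copy that still needs the vendor patch or the class-removal workaround applied.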
However, it’s likely that many organizations have already stretched their information security resources too thin to respond quickly and decisively to threats like Log4Shell. With security teams routinely overworked and a widening industry-wide talent gap in place, categorizing and prioritizing emerging threats remains a challenge.
Protect Your Organization from Log4Shell Now
Vulnerabilities like Log4Shell showcase the importance of deploying scalable security solutions that combine superior technology with on-demand human expertise. There is no way to predict when a vulnerability on the scale of Log4Shell will emerge, and organizations can't afford to remain vulnerable to widespread exploits like it.
At the same time, in-house enterprise cybersecurity teams rarely have enough time and resources to discover, track, and mitigate existing security risks. Unexpectedly adding new exploits to the list only contributes to the structural problems that stand between information security leaders and their goals.
Making Castra your managed detection and response vendor enables your security team to distribute its responsibilities more effectively. Gain visibility into your security posture and deploy scalable security expertise to meet the demands of your organization’s risk profile with our help.
Speak to a Castra specialist to find out more.